pilcrowonpaper / copenhagen Goto Github PK

I can translate the book to Arabic, but we need malta to support internationalization first

The "Sessions" guide contains the following:

CSRF protection must be implemented when using cookies, and using the SameSite flag is not sufficient.

This is somewhat true, but there is some additional nuance here.

My understanding is that SameSite=Lax (or Strict) is sufficient CSRF protection if the following conditions are met:

• The user's browser supports it. Global support is currently ~96%
• GET requests aren't used to mutate data on the server.
• The website/application doesn't surface user-generated content (such as the ability to post links, forms, etc).

As with anything related to auth, there are plenty of edge-cases (as listed above) but generally I think SameSite=Lax or SameSite=Strict could be recommended as a sufficient method of CSRF protection in certain circumstances.

Interested to hear your thoughts and, if you agree, I'm happy to modify the "SameSite cookie attribute" section of the "CSRF" guide to include this info.

• Hash (SHA-1/2/3)
• HMAC
• Private/public key (RSA, ECDSA)

In various journeys of an applications functions it's possible to infer the presence of a identity such as

New user sign up is provided an email that is checked 'that account already exists' <-- this is a point of enumeration
Forgotten Password is often a point of enumeration too altho often a little noisier <-- user doesn't exist versus email sent
Login page also a point of enumeration <-- user does not exist versus incorrect password

Areas like these should either send to the user's provided email address actions to authenticated such as how Spotify's magic link works or send an email suggesting someone has attempted to sign up using this email address if the account doesn't exist yet

where an application cannot do this, it must be aware of the enumeration and scraping potential

Does this make sense ?

I can put something in long form if needed, but in principle, how are re defending from scraping and inference based learning for unauthenticated visitors

I'm not sure if this should be part of the book since it's more general security rather than auth related

Describe and compare different ways to implement rate-limiting

Unfortunately I've never implemented SAML before